SCCM 2012: Deploy Windows updates using Automatic deployment rules

In my experience, the best way to deploy Windows updates is by using Automatic Deployment Rules.

To set up a working deployment rule, a few configurations and settings need to be in place and working without errors:
1. Software Update Point (SUP) : Products and Sync Schedule
2. Site System role : Proxy Account
3. Device Collection : Query based collection
4. Client Settings
5. Automatic deployment rule

1. Software Update Point (SUP):
Let's start by checking the SUP configuration.
Under \Administration\Overview\Site Configuration\Sites
SCAP-0303

Under the “Products” tab, make sure you have selected the operating systems for which you plan to install updates.
SCAP-0304

Schedule the software update synchronization under the Sync Schedule tab.
SCAP-0305

2. Site System Role : Proxy Account
If a proxy server is used to access the internet, we need to configure an account that has internet access so that the updates can be downloaded.
Under \Administration\Overview\Site Configuration\Servers and Site System Roles go to the properties of Site System to configure Proxy Account.
SCAP-0306

SCAP-0307

3. Device Collection : Query Based
For this you need a properly planned Active Directory (AD) structure.
Let's say we have a separate Organizational Unit (OU) for servers and another OU for computers (user PCs).
When a new server is joined to the domain, you place the server account (computer account) in the Servers OU. The same goes for user PCs.
Here we will focus on servers.
Now we create a device collection based on the OU and the operating system installed on the server.
Under \Assets and Compliance\Overview\Device Collections\ Right click on Device Collections and Select Create Device Collection
SCAP-0308

Follow the wizard
SCAP-0309

SCAP-0310

SCAP-0311

SCAP-0312

SCAP-0313

SCAP-0314

The 1st criterion will be the OU.
The value must be the OU that contains the servers' computer accounts in AD.

SCAP-0315

The 2nd criterion is the operating system of the server (2008 R2 Std).
Use the Value… button to select the OS.
SCAP-0316

The 3rd criterion is again the operating system, but this time the value is different (2008 R2 Ent).
SCAP-0317

Verify and arrange the query as below
SCAP-0318

Click OK till you reach the main wizard page and Select “Use incremental updates for this collection” and complete the wizard by clicking Next.
SCAP-0319

The collection starts populating if there are servers in the OU that match the criteria we have defined.
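The same collection can be built from a Configuration Manager PowerShell session. This is an added example, not taken from the original post: the OU path, the limiting collection and the use of the Operating System Caption attribute for the OS criteria are assumptions.

```powershell
# Added example, not from the original post. Run in a Configuration Manager
# PowerShell session (ConfigurationManager module loaded, site drive current).
$collectionName = 'Windows Server 2008 R2 Dyn Collection'
$serversOu      = 'CONTOSO.LOCAL/SERVERS'   # hypothetical OU path, replace with yours

# Criteria arranged as: OU AND (Std OR Ent).
# The parentheses keep the OU filter applied to both OS values; without them
# the Enterprise clause could match servers outside the OU.
# Assumption: the OS criteria use the Operating System "Caption" attribute.
# LIKE with a trailing % tolerates trailing whitespace in the inventoried caption.
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup,
       SMS_R_System.Client
from SMS_R_System
inner join SMS_G_System_OPERATING_SYSTEM
  on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_R_System.SystemOUName = "$serversOu"
  and (SMS_G_System_OPERATING_SYSTEM.Caption like "Microsoft Windows Server 2008 R2 Standard%"
    or SMS_G_System_OPERATING_SYSTEM.Caption like "Microsoft Windows Server 2008 R2 Enterprise%")
"@

# RefreshType Continuous corresponds to "Use incremental updates for this collection".
New-CMDeviceCollection -Name $collectionName `
    -LimitingCollectionName 'All Systems' `
    -RefreshType Continuous | Out-Null

Add-CMDeviceCollectionQueryMembershipRule -CollectionName $collectionName `
    -RuleName 'Servers OU - 2008 R2 Std or Ent' `
    -QueryExpression $wql

# Review membership before any deployment targets the collection:
# every device listed here will receive the update deployment.
Get-CMDevice -CollectionName $collectionName |
    Select-Object Name |
    Sort-Object Name
```

Compare the listed devices with the contents of the Servers OU in AD; a machine that appears here but not there points to a mis-grouped query.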
SCAP-0320
4. Client Settings
Now we need to set up custom client settings for the general “Server” device collection.
Under \Administration\Overview\Client Settings, create a new Device Settings object with the following values.
Note: Here I am showing only the settings which affect the update deployment.
SCAP-0324

SCAP-0322

The schedule for software updates is very short in the example below; it might increase load on the system.
SCAP-0323

Now we need to apply these settings to the device collection that we created (Windows Server 2008 R2 Dyn Collection).
Right-click the Device Settings object, select the Deploy option, select the collection that we created, and complete the wizard.

5. Automatic Deployment Rule

Under \Software Library\Overview\Software Updates\Automatic Deployment Rules, right click and select Create Automatic Deployment Rule.
Follow the Wizard with settings as below.
SCAP-0326

SCAP-0327

This page is very important: the updates that get downloaded are determined by the values specified here, so make sure your selections are correct.
SCAP-0328
Note: The value for Title is specified as x64, which means any update that has “x64” in its title will be selected, because we generally use x64 OS in production.

On the schedule page, for deploying updates to servers, I have selected “Do not run this rule automatically”.
Whether to select this option depends on how you plan to deploy newly released updates to servers.
If “Do not run this rule automatically” is selected, we need to make sure that we run this ADR manually whenever we are comfortable with the newly released updates and want to include them in the Update Group created by this rule.
If we are targeting a device collection of user PCs, then the proper selection would be “Run this rule after software update point Sync”.
Remember that we configured the Sync Schedule in the 1st section (SUP); when that sync runs on schedule, this Automatic Deployment Rule will run, and newly released updates will be downloaded and included in the Update Group.
SCAP-0329

SCAP-0330

SCAP-0331

SCAP-0332

SCAP-0333

On the Deployment Package page, if you already have a defined package location, use that; otherwise create a shared folder on the server.
Use that share location to create a new package.
SCAP-0334

Add a Distribution Point here.
SCAP-0335

SCAP-0336

SCAP-0337

Complete the Automatic Deployment Rule Wizard.

Next, run the ADR: right-click it and select the Run Now option.
This will create a new “Software Update Group”, which contains the updates found by the rule.
Use CMTrace to follow wsyncmgr.log (sync) and Ruleengine.log and Patchdownloader.log (Automatic Deployment Rule); these logs are present on the SCCM server.

Once the server/client PC receives the new client settings, the update scan and the deployment of updates will start as defined in the client settings.
To force the Configuration Manager client to download the new policy, open “Configuration Manager” in Control Panel and, under the Actions tab, run “Machine Policy Retrieval & Evaluation Cycle” and wait a couple of minutes, then run “Software Updates Scan Cycle” and wait a few minutes, and finally run “Software Updates Deployment Evaluation Cycle”.
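The same three client actions can be triggered from PowerShell on the client, which helps when checking several servers. This is an added example, not from the original post; the wait times are assumptions standing in for the "couple of minutes" described above.

```powershell
# Added example, not from the original post. Run elevated on the client.
# Written to work on PowerShell 2.0, the default on Server 2008 R2.
$cycles = @(
    @{ Name = 'Machine Policy Retrieval'
       Id   = '{00000000-0000-0000-0000-000000000021}'; Wait = 30 },
    @{ Name = 'Machine Policy Evaluation'
       Id   = '{00000000-0000-0000-0000-000000000022}'; Wait = 120 },
    @{ Name = 'Software Updates Scan'
       Id   = '{00000000-0000-0000-0000-000000000113}'; Wait = 180 },
    @{ Name = 'Software Updates Deployment Evaluation'
       Id   = '{00000000-0000-0000-0000-000000000108}'; Wait = 60 }
)

foreach ($cycle in $cycles) {
    Write-Host "Triggering $($cycle.Name) cycle"
    # TriggerSchedule is the method the Control Panel Actions tab calls into.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' `
        -Name 'TriggerSchedule' -ArgumentList $cycle.Id `
        -ErrorAction Stop | Out-Null
    Start-Sleep -Seconds $cycle.Wait   # assumed pauses, tune for your environment
}

# List the deployed updates the client currently sees as applicable.
# An empty result right after a new deployment usually means policy or
# the scan has not completed yet; re-run after a few minutes.
Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class 'CCM_SoftwareUpdate' |
    Select-Object ArticleID, Name, EvaluationState |
    Sort-Object ArticleID
```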

This post might not be the perfect guide, but it will give an idea of what is involved in setting up an Automatic Deployment Rule.
If you have questions please post in comments.

Hope it helps.
